Only TCP uses fragments, but we don't need to check FOLLOW_TCP
because the fragments pointers exist but are null if not being
used. See the similar code in epan/follow.c
Part of making it simpler for dissectors to register with Follow.
The websocket protocol masking feature makes follow TCP stream
on websocket traffic show masked payload. To easily view unmasked
and reassembled websocket payload add follow websocket stream
support.
When dissectors register for Follow Stream, have them register a
function for finding the next valid sub stream id for a given
stream and substream id pair. This function is NULL if the dissector
does not use sub stream IDs.
Use this function in follow_stream_dialog to update the sub stream
id widget (and use the absence of the function to disable and hide
the widget.) Use this function in the CLI tap-follow to determine
whether to parse a sub stream id from the command line options.
This removes the dependencies on epan/dissectors from the Qt
follow_stream_dialog, and gets us closer to having dissectors
being able to register for Follow Stream without having to update
anything in the common source code.
Set a minimum width for the stream and substream number spinboxes in the
"Follow" and "TCP Stream Graphs" dialogs. This provides a larger click
target and should make editing easier.
Fixes#18265.
Instead of having the UI have to know about each type of follow
stream, and how to retrieve its total number of streams, have
each follow type register a function that returns the total
number of stream. (The function can be NULL, for protocols like
SIP that do not use this.)
This gets us closer to making follow stream registration generic.
The TCP and UDP follow conversation filter functions should
only retrieve a conversation and conversation data, not
create new conversations or new stream numbers. (That should
only happen during actual packet processing.) So they should
match on the endpoint type and not look up endpoints (since
TCP and UDP don't use the endpoint API.)
They still don't work with tunneling, or any other situation where
the addresses and ports have been changed (see #18231), but this
at least works when some other protocol _has_ used the endpoint
API, and also avoids creating nonsensical streams.
Making them work properly with tunneling either requires adding
packet info to each packet with the stream information, or using
the endpoint API (after finishing it to allow more than one endpoint
on the packet, and a way of searching for endpoints other than
the most recent.)
It's only necessary to check that cap_file_.capFile()->edt is
not NULL if use_stream_index is FALSE.
This prevents failure and an inaccurate error message about the
capture file being invalid when using the spinbox to cycle through
a stream when all packets are filtered out.(E.g., Follow a stream,
append to the filter looking for something, no packets match, try to
go to the next stream.)
The Qt implicit casts from QByteArray to QString all use
size = -1, meaning to the end of the string.
This causes gcc 12.1 with -O2 to produce a very dubious stringop-overread
warning, by computing both sides of a branch even when it shouldn't:
/usr/include/qt5/QtCore/qstring.h:706:69: error: ‘size_t strlen(const char*)’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
706 | return fromUtf8_helper(str, (str && size == -1) ? int(strlen(str)) : size);
| ~~~~~~^~~~~
There's also a similar error with QByteArray.constData(), even though
isEmpty() should return True when the QByteArray is NULL.
(Adding isNull() prevents the warning but is redundant.)
Use DIAG_OFF and DIAG_ON to ignore the warning on GCC 12.1 and higher.
Fix#18090.
Increase the minimum required version of Qt from 5.6 to the next
LTS version, 5.9. The various Linux distributions that have not
released an update to 5.9 or later (SLES 12, Debian stretch) are
nearing end of support, and can be supported by the Wireshark 3.6 LTS
release.
Qt 5.9 requires macOS 10.0, so make that the minimum macOS version
as well.
Remove unneeded version checks (except from QCustomPlot).
Move WiresharkApplication.{cpp,h} to MainApplication.{cpp,h}. Add back
WiresharkApplication as a thin superclass of MainApplication, similar to
LogsharkApplication. Change all of our wsApp references to mainApp. We
will likely have to change many or most of them back, but that's a
commit for another time.
Qt 5.10 added qsizetype, aka an ssize_t and Qt 6 makes extensive use of
it. Add a compatibility typedef and use it where we can. Cast it away
where we can't.
Qt5 recommended to use QRegularExpression instead of QRegExp.
Qt6 deprecated QRegExp and provides it in Qt5 compatibility module.
QRegularExpression is generally faster and safer to use as the results
are returned in separate QRegularExpressionMatch instead of modifying
interal QRegExp object state.
To enhance the Merge 4644, the isReadRunning variable scope is
changed to reduce the header footprint and make the code compliant
to the usual coding rules.
When changing one of the selection parameters in the Follow Stream
dialog while a filtering task is already running, the result is
inaccurate.
While a filtering task is already running in the Follow Stream
dialog, any filter change which triggers a new filtering gives a
wrong result. Both the displayed data and the Save As functions
are impacted. Closes#15637
"Follow Stream" functionality assumes that all data in a single packet
belongs to the same stream. That is not true for HTTP2 and QUIC, where
we end up having data from unrelated streams.
Filter out the unwanted data directly in the protocol dissector code with
a custom `tap_handler` (as TCP already does).
Close#16093
This functionality has been added in d2a660d8, where its limitations
are described.
Improvements:
* the Substream index menu now properly filters for available stream numbers;
* Follow Stream selects the first stream in the current packet
Known issue (which is still there): if a packet contains multiple QUIC
streams, then we will show data also from streams other than the selected
one (see #16093)
Note that there is no way to follow a QUIC connection.
Close#17453
Version info is an aspect of UI implementation so move it to
a more appropriate place, such as ui/. This also helps declutter
the top-level.
A static library is appropriate to encapsulate the dependencies
as private and it is better supported by CMake than object libraries.
Also version_info.h should not be installed as a public header.
Modify YAML output format so it includes information about peers and
absolute timestamps for each packet.
This also adds yaml output to tshark: -z follow,tcp,yaml,X
Changes:
- epan/follow.c: follow_conv_filter_func has new parameter
epan_dissect_t *edt, so filter can be generated based on decoded tree
of packet below the cursor
- menu Follow/SIP Call is enabled when sip packet is selected
- value of sip.Call-ID is used as filter for SIP call
- for sharkd it generates filter just 'sip.Call-ID' with no value
Remove the editor modeline blocks from most of the source files in ui/qt
by running
perl -i -p0e 's{ \n+ /[ *\n]+ editor \s+ modelines .* shiftwidth= .* \*/ \s+ } {\n}gsix' $( ag -g '\.(cpp|h)' )
then cleaning up the remaining files by hand.
This *shouldn't* affect anyone since
- All of the source files in ui/qt use 4 space indentation, which
matches the default in our top-level .editorconfig
- The one notable editor that's likely to be used on these files and
*doesn't* support EditorConfig (Qt Creator) defaults to 4 space
indentation.
This pull request includes:
* The "Follow DCCP stream" feature.
* Updated docbook documentation for the "Follow DCCP stream" feature.
* Test for the feature.
* Corresponding packet trace for the test.
The patch reintroduces WiresharkDialog::captureFileClosed() method and
calls captureFileClosing() and captureFileClosed() in right order.
Both methods call updateWidgets() at its end.
All dialogs were reviewed and captureFileClosing/Closed methods updated
when appropriate.
captureEvent() method in multiple dialogs changed to captureFileClosing/Closed
as it does same actions - looks like old style of detecting of capture
file closing.
Run
$ gsed -i -e 's/\(tr *(.*".*\)" *UTF8_HORIZONTAL_ELLIPSIS/\1…"/' $( ag -l 'tr *\(.*" *UTF8_HORIZONTAL_ELLIPSIS' )
$ gsed -i -e 's/\(tr *( *\)UTF8_HORIZONTAL_ELLIPSIS *"/\1"…/' $( ag -l 'tr *\( *UTF8_HORIZONTAL_ELLIPSIS *"' )
in ui/qt. As discussed in #16812, the UTF8_ macros were required at one
time because we only allowed ASCII in our source code. However, that
requirement has since been relaxed and Qt's translation framework
doesn't handle concatenating strings and macros very well.
Introduced QT 5.7 calls in my recent change (also C+11, which is
required for QT >= 5.7). Providing an alternate code path for QT < 5.7
Change-Id: I866af35138d4691a659aee756ce9c3ce4ffb933f
Reviewed-on: https://code.wireshark.org/review/37779
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Use the QT text codec support to add charset conversions for all character
encodings supported by QT to Show Packet Bytes and Follow Stream (Save As
will convert to UTF-8.) Note that this is dynamic and the exact list will
depend on the version of QT and if libicu support is enabled. This does
make the list of codecs pretty long, so hopefully it shows up well on all
the different QT styles.
This does not yet support when multibyte characters span more than one packet
in Follow Stream, though the current code doesn't do that for UTF-8 or UTF-16
already. This is probably most useful for HTTP captures.
Bug: 16137
Change-Id: I6d5cd761a5d9d914b7a787fe8eb02b07b19642e6
Ping-Bug: 16630
Reviewed-on: https://code.wireshark.org/review/37707
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Make sure we set QIODevice::Text on our QTextStreams when saving and
exporting text so that we get native line endings on Windows.
Change-Id: I4602157d2d170eb9a2c79032254ea5be236c7589
Reviewed-on: https://code.wireshark.org/review/37336
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Remove randomly used space inside parentheses to make the coding
style uniform. Add space after if, for and while.
Change-Id: I519f5994b6f73d8a57a5004d51ca460276c618fe
Reviewed-on: https://code.wireshark.org/review/35112
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
The QUIC transport protocol provides a stream, similar to HTTP/2. Make
it possible to look at the stream contents. This can be helpful while
HTTP/3 support is not yet complete.
Known issues that will be addressed in the future:
- If a single packet contains multiple streams, then Follow QUIC Stream
will wrongly include data from streams other than the selected one.
This is tracked by bug 16093 and affects HTTP/2 as well.
- The Substream index menu does not properly filter for available
stream numbers. If a non-existing stream is selected, then changing
to another (potentially valid) index results in the "Capture file
invalid." error. As workaround, clear the display filter first.
- Follow Stream always selects Stream ID 0 instead of the first or
currently selected stream field in a packet. Users should manually
update the stream index as needed.
Change-Id: I5866be380d58c96f0a71a29abdbd1be20ae3534a
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/34694
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The HTTP/2 protocol multiplexes a single TCP connection into multiple
independent streams. The Follow TCP output can interleave multiple
HTTP/2 streams, making it harder to analyze a single HTTP/2 stream.
Add the ability to select HTTP/2 Streams within a TCP stream.
Internally, the HTTP/2 dissector now stores the known Stream IDs in a
set for every TCP session which allows an amortized O(n) lookup time for
the previous/next/max Stream ID.
[Peter: make the dissector responsible for clamping the HTTP/2 Stream ID
instead of the Qt code, that should permit future optimizations.]
Change-Id: I5d78f29904ae8f227ae36e1a883155c0ed719200
Reviewed-on: https://code.wireshark.org/review/32221
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexander Gryanko <xpahos@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Using a simple (type *) cast on g_list_next results in a warning
with modern compilers "old-style cast"
Adding a warning for g_list_next and data access to avoid the warning
A good overview why reinterpret_cast has been used can be found here:
https://stackoverflow.com/questions/332030/when-should-static-cast-dynamic-cast-const-cast-and-reinterpret-cast-be-used
It is a 1:1 replacement in this case, but does not use any of the new
cast styles and therefore should be used with caution.
Change-Id: I989f237afc39aaf40133a788b1c0bbd7a51bf974
Reviewed-on: https://code.wireshark.org/review/34284
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
When a stream index is explicitly given (as is done for items from the
Conversations statistics dialog), it does not have to query the stream
index from the packet list. Skip checking the packet list then.
Bug: 15672
Change-Id: I3f79e6a0997726535c38f9766b894b042ffbf916
Reviewed-on: https://code.wireshark.org/review/32972
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
tcp.stream and udp.stream are already unsigned identifiers. An upcoming
http2.hashed_stream identifier can exercise the full unsigned 32-bit
number space, so be sure not to treat the stream identifier as signed
integer.
Change-Id: Ic5d398b2bda7eba7555e385ef3fcd44b490f78c9
Reviewed-on: https://code.wireshark.org/review/32287
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Alexander Gryanko <xpahos@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Rename the "ssl" protocol to "tls" and add an "ssl" alias. Prefer "TLS"
over "SSL" in user interface text and in the documentation.
Fix the test_tls_master_secret test while we're here.
Bug: 14922
Change-Id: Iab6ba2c7c4c0f8f6dd0f6d5d90fac5e9486612f8
Reviewed-on: https://code.wireshark.org/review/29649
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
For formats other than "Raw" and "UTF-8", the written file does not
match the actual stream data. It would be duplicated in strange ways.
Executing the "Save As" action twice while the dialog is open would also
write two different files (huh?).
As a quick fix, just replace the strange save logic by writing the text
field contents. A functional difference is that previously it would
write data while parsing the "follow data" list, now it uses the text
field contents. That data will now be truncated after 500 MB.
Bug: 14933
Change-Id: I498676389d0da3ac070346d6903bd2e6b0fc7674
Fixes: v1.11.0-rc1-2538-g80f9326b2f ("Add TCP/UDP/SSL Follow feature to QtShark")
Reviewed-on: https://code.wireshark.org/review/28663
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
When switching from ASCII to other modes (such as Hex), the previous
text to packet number mapping was not cleared. This resulted in
using the wrong packet number when hovering over the packet data.
Change-Id: I29ba1786925490c33fc9181373a31d51f5091642
Reviewed-on: https://code.wireshark.org/review/28614
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Reverse the payload chunks list to achieve a running time of O(n) rather
than O(n²) for insertion of all chunks. Executing a RelWithDebInfo+ASAN
build with `tshark -r chargen-session.pcapng.gz -qz follow,tcp,hex,0`
previously took 11m5s to complete, but now finishes in 16 seconds.
Tested using a capture file with 152k TCP packets (from bug 11777).
Backport note: must update ui/gtk/follow_stream.c too.
Change-Id: Icf70d45f33d4399e53209fb6199d3809608c8d99
Reviewed-on: https://code.wireshark.org/review/28595
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a WiresharkFileDialog class, which is a thin wrapper around a few
QFileDialog functions that sets per-monitor v2 DPI awareness before
showing native dialogs and resets the awareness context afterward.
Use it where we call QFileDialog::getXXX.
Change-Id: Ib711a70aa94b693a2515804a729f666ea7fbd673
Reviewed-on: https://code.wireshark.org/review/27568
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Move */ to a separate line below the SPDX identifier.
Change-Id: Id1032215449cfccae0933147b45e04b65e0b727f
Reviewed-on: https://code.wireshark.org/review/27211
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make the argument to the events a non-memory object
Change-Id: I46d8c24415aa2bc48b2a2d3b1fccffa6956d08b5
Reviewed-on: https://code.wireshark.org/review/26671
Reviewed-by: Roland Knall <rknall@gmail.com>
John Thacker